freeipa
Contents
About
FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools.
FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about users, groups, hosts and other objects necessary to manage the security aspects of a network of computers.
FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.
Multiple FreeIPA servers can easily be configured in a FreeIPA Domain in order to provide redundancy and scalability. The 389 Directory Server is the main data store and provides a full multi-master LDAPv3 directory infrastructure. Single-Sign-on authentication is provided via the MIT Kerberos KDC. Authentication capabilities are augmented by an integrated Certificate Authority based on the Dogtag project. Optionally, domain names can be managed using the integrated ISC Bind server.
Security aspects related to access control, delegation of administration tasks and other network administration tasks can be fully centralized and managed via the Web UI or the ipa Command Line tool.
Provides
- Identity (machine, user, virtual machines, groups, authentication credentials)
- Policy (host based access control)
- Audit (this component is deferred)
What can FreeIPA do for you
### WIP
For some internal zones we're using isc-dhcp-server to dynamically update the isc-bind9 forward and reverse resource records. The ipa-client can update these records (A, AAAA, PTR, PTR6) and even adds the SSHFP record (for easy ssh host key checking), while being authenticated via GSSAPI/Kerberos.
FreeIPA adds a feature-rich graphical frontend to bind. This is a feature I only knew from PowerDNS via its API.
Prerequisites
- 2-3 RHEL/Fedora/CentOS VMs (Debian is also possible)
  Generally it is recommended to have at least 2-3 replicas in each datacenter. There should be at least one replica in each datacenter with additional FreeIPA services like PKI or DNS, if used. Note that it is not recommended to have more than 4 replication agreements per replica.
- These are security devices and should enforce Mandatory Access Control (MAC) based on SELinux by default, which is supported best on RHEL, Fedora or CentOS. For a discussion of which RHEL-based distribution to choose, please see Fedora vs. CentOS vs. RHEL.
  These VMs are only for FreeIPA, for reasons of performance, stability, security, maintainability, upgradability, …
- Hardware
  A basic user entry or a simple host entry with a certificate is approximately 5-10 kB in size.
  - For 10,000 users and 100 groups: at least 3 GB of RAM and 1 GB swap space
  - For 100,000 users and 50,000 groups: at least 16 GB of RAM and 4 GB of swap space.
- Kerberos realm name that does not currently and will not in future collide with any other realm, like "IPA.ROCKSTABLE.IT".
- Some DNS records
  - TXT record for the Kerberos realm
  - SRV records for discovery of the FreeIPA servers by the clients
Installation
Prepare VM with RHEL-based#CentOS_Stream-1
Red Hat Customer Portal - Installing packages required for an IdM server
dnf module enable idm:DL1
Last metadata expiration check: 1:00:31 ago on Tue 22 Sep 2020 07:33:55 PM CEST.
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Enabling module streams:

389-ds 1.4
httpd 2.4
idm DL1
pki-core 10.6
pki-deps 10.6
Transaction Summary
================================================================================

Is this ok [y/N]: y
Complete!
Switch to the packages provided by the newly enabled module: dnf distro-sync
Install the idm module
dnf module install idm:DL1/{client,dns,server}
Configure
Configure an IPA server
# ipa-server-install
…
The ipa-client-install command was successful

Please add records in this file to your DNS system: /tmp/ipa.system.records.4ykg3ahr.db
==============================================================================
Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
ipa-server-install 40.05s user 5.05s system 4% cpu 15:06.50 total
There is an install log at /var/log/ipaserver-install.log.
column -t /tmp/ipa.system.records.4ykg3ahr.db
_kerberos-master._tcp.2a.rockstable.it. 86400 IN SRV 0 100 88 ipa2.2a.rockstable.it.
_kerberos-master._udp.2a.rockstable.it. 86400 IN SRV 0 100 88 ipa2.2a.rockstable.it.
_kerberos.2a.rockstable.it. 86400 IN TXT "ROCKSTABLE.IT"
_kerberos._tcp.2a.rockstable.it. 86400 IN SRV 0 100 88 ipa2.2a.rockstable.it.
_kerberos._udp.2a.rockstable.it. 86400 IN SRV 0 100 88 ipa2.2a.rockstable.it.
_kpasswd._tcp.2a.rockstable.it. 86400 IN SRV 0 100 464 ipa2.2a.rockstable.it.
_kpasswd._udp.2a.rockstable.it. 86400 IN SRV 0 100 464 ipa2.2a.rockstable.it.
_ldap._tcp.2a.rockstable.it. 86400 IN SRV 0 100 389 ipa2.2a.rockstable.it.
ipa-ca.2a.rockstable.it. 86400 IN A 172.18.128.7
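Before handing that file to an external DNS, it pays to check it mechanically. The following is an added example (not part of this page and not FreeIPA code): a stdlib-only pre-flight check that parses the record lines above, verifies that every autodiscovery record a client needs is present below the IPA domain, and flags targets without a trailing dot, which a zone file silently suffixes with $ORIGIN (the usual cause of a doubled reverse name like secl.2a.rockstable.it.2a.rockstable.it.). The AUTODISCOVERY set is taken from the file above, and the PTR line is constructed.

```python
"""Pre-flight check of the records file written by ipa-server-install.
Added example (stdlib only), not FreeIPA code; the PTR line is constructed."""
from __future__ import annotations

# Lines as printed by `column -t /tmp/ipa.system.records.*.db` on this page,
# plus one CONSTRUCTED PTR whose target is missing the trailing dot.
RECORDS_DB = """\
_kerberos-master._tcp.2a.rockstable.it. 86400 IN SRV 0 100 88 ipa2.2a.rockstable.it.
_kerberos-master._udp.2a.rockstable.it. 86400 IN SRV 0 100 88 ipa2.2a.rockstable.it.
_kerberos.2a.rockstable.it. 86400 IN TXT "ROCKSTABLE.IT"
_kerberos._tcp.2a.rockstable.it. 86400 IN SRV 0 100 88 ipa2.2a.rockstable.it.
_kerberos._udp.2a.rockstable.it. 86400 IN SRV 0 100 88 ipa2.2a.rockstable.it.
_kpasswd._tcp.2a.rockstable.it. 86400 IN SRV 0 100 464 ipa2.2a.rockstable.it.
_kpasswd._udp.2a.rockstable.it. 86400 IN SRV 0 100 464 ipa2.2a.rockstable.it.
_ldap._tcp.2a.rockstable.it. 86400 IN SRV 0 100 389 ipa2.2a.rockstable.it.
ipa-ca.2a.rockstable.it. 86400 IN A 172.18.128.7
9.128.18.172.in-addr.arpa. 86400 IN PTR secl.2a.rockstable.it
"""

# (owner prefix below the IPA domain, type) pairs that client autodiscovery
# relies on; the same set the installer's records file contains.
AUTODISCOVERY = {
    ("_kerberos", "TXT"), ("_kerberos._tcp", "SRV"), ("_kerberos._udp", "SRV"),
    ("_kerberos-master._tcp", "SRV"), ("_kerberos-master._udp", "SRV"),
    ("_kpasswd._tcp", "SRV"), ("_kpasswd._udp", "SRV"),
    ("_ldap._tcp", "SRV"), ("ipa-ca", "A"),
}


def parse_records(text: str) -> list[tuple[str, str, str]]:
    """Parse 'owner TTL IN TYPE rdata' lines into (owner, TYPE, rdata)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, klass, rrtype, rdata = line.split(None, 4)
        if klass.upper() != "IN":
            raise ValueError(f"unexpected class in line: {line}")
        records.append((owner.lower(), rrtype.upper(), rdata))
    return records


def _below(owner: str, domain: str) -> str | None:
    """Owner prefix relative to `domain`, or None if owner is not below it."""
    suffix = "." + domain.rstrip(".").lower() + "."
    return owner[: -len(suffix)] if owner.endswith(suffix) else None


def missing_autodiscovery(records, domain: str) -> list[tuple[str, str]]:
    """Autodiscovery (prefix, type) pairs that are absent below `domain`."""
    present = set()
    for owner, rrtype, _ in records:
        prefix = _below(owner, domain)
        if prefix is not None:
            present.add((prefix, rrtype))
    return sorted(AUTODISCOVERY - present)


def unqualified_targets(records) -> list[tuple[str, str, str]]:
    """SRV/PTR/CNAME/NS targets lacking a trailing dot: pasted into a zone file
    they get $ORIGIN appended, giving host.2a.rockstable.it.2a.rockstable.it."""
    return [(owner, rrtype, rdata.split()[-1])
            for owner, rrtype, rdata in records
            if rrtype in ("SRV", "PTR", "CNAME", "NS")
            and not rdata.split()[-1].endswith(".")]


def kerberos_realm(records, domain: str) -> str | None:
    """Realm advertised by the _kerberos TXT record (quotes stripped)."""
    for owner, rrtype, rdata in records:
        if rrtype == "TXT" and _below(owner, domain) == "_kerberos":
            return rdata.strip('"')
    return None


if __name__ == "__main__":
    recs = parse_records(RECORDS_DB)
    print("missing:", missing_autodiscovery(recs, "2a.rockstable.it"))
    print("unqualified:", unqualified_targets(recs))
    print("realm:", kerberos_realm(recs, "2a.rockstable.it"))
```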
Now
- If necessary, create the DNS#SRV Kerberos records.
- Open the firewall on the host for FreeIPA; please see Firewalld.
First Access
It is much preferable to have direct access to the web-service by simple routing, VPN or a remote terminal-server.
I chose the terminal-server option.
The web server immediately redirects to HTTPS, i.e. to port 443, a privileged port (< 1024), and to the server's hostname. So if you need access via an SSH tunnel, it gets interesting.
Defeating the firewall
Shut down any web servers listening on the local interface and port (tcp/443), because ssh will later bind to it.
Alter local DNS resolution by mapping the target domain name to 127.0.0.1. (Maybe there is a browser plugin for this purpose, but I haven't found it.)
/etc/hosts
127.0.0.1 ipa2.2a.rockstable.it ipa2
Some notes
This works in my setup, because I use a JumpHost and the target name is resolved there. But to make the website work, you may first need to connect to the name and later
- enable the hosts entry, or
- create a host entry in your ~/.ssh/config with the IP address, or
- even simpler, just use the IP address as the target in the ssh command instead.
With sudo
Configure the JumpHost in root's ssh config, because all CLI options are for the target host.
/root/.ssh/config
Connect via ssh
And visit https://localhost/
With authbind
Install authbind
apt install authbind
Configure authbind (the file must be executable for the user):
{{{!highlight bash
# the byport file must be owned and executable by the tunnelling user;
# GNU install sets the owner with -o (it has no -u option)
sudo -- install -o tobias -g root -m 700 /dev/null /etc/authbind/byport/443
}}}
For other options please see man authbind
Connect via ssh
And visit https://localhost/
Troubleshooting
root@ipa2 ~ # ipa-server-install --setup-dns

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password must not contain control characters
IPA admin password:
Password (confirm):

Checking DNS domain 2a.rockstable.it., please wait ...
DNS zone 2a.rockstable.it. already exists in DNS and is handled by server(s): ['ns4.rockstable.org.', 'ns3.rockstable.org.']
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
In this case the option --allow-zone-overlap may help: it allows creation of the (reverse) zone even if the zone is already resolvable. Using this option is discouraged, as it may result in later problems with domain name resolution.
Manage from CLI
Get a ticket
root@ipa2 ~ # ipa
ipa: ERROR: did not receive Kerberos credentials
root@ipa2 ~ # kinit tobias
Password for tobias@ROCKSTABLE.IT:
root@ipa2 ~ # ipa
Usage: ipa [global-options] COMMAND [command-options]

Manage an IPA domain

Options:
--version show program's version number and exit
-h, --help Show this help message and exit
-e KEY=VAL Set environment variable KEY to VAL
-c FILE Load configuration from FILE.
-d, --debug Produce full debuging output
--delegate Delegate the TGT to the IPA server
-v, --verbose Produce more verbose output. A second -v displays the
XML-RPC request
-a, --prompt-all Prompt for ALL values (even if optional)
-n, --no-prompt Prompt for NO values (even if required)
-f, --no-fallback Only use the server configured in /etc/ipa/default.conf

See "ipa help topics" for available help topics.
See "ipa help <TOPIC>" for more information on a specific topic.
See "ipa help commands" for the full list of commands.
See "ipa <COMMAND> --help" for more information on a specific command.

Error: Command not specified
With the ticket you may now also take a look into the database.
ldapsearch objectclass=\* | vim -
Bind backend
In FreeIPA, named is compiled to read its configuration from /etc/named.conf:
options {
    // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
    listen-on-v6 {any;};

    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";

    // If not explicitly set, the ACLs for "allow-query-cache" and
    // "allow-recursion" are set to "localnets; localhost;".
    // If either "allow-query-cache" or "allow-recursion" is set,
    // the other would be set the same value.
    // Please refer to /etc/named/ipa-ext.conf
    // for more informations

    tkey-gssapi-keytab "/etc/named.keytab";
    pid-file "/run/named/named.pid";

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    /* crypto policy snippet on platforms with system-wide policy. */
    // not available
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
        print-time yes;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

/* custom configuration snippet */
include "/etc/named/ipa-ext.conf";

/* WARNING: This part of the config file is IPA-managed.
 * Modifications may break IPA setup or upgrades.
 */
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
    uri "ldapi://%2fvar%2frun%2fslapd-ROCKSTABLE-IT.socket";
    base "cn=dns, dc=rockstable,dc=it";
    server_id "ipa2.2a.rockstable.it";
    auth_method "sasl";
    sasl_mech "GSSAPI";
    sasl_user "DNS/ipa2.2a.rockstable.it";
};
/* End of IPA-managed part. */
It uses the LDAP back-end plug-in for BIND to load configuration and zones from 389-ds. This is remarkable.
There is also a file for user-provided custom configuration:
/etc/named/ipa-ext.conf
// Custom managed file.
// Here you can set your own options, for instance ACL for recursion access:
//
// acl "trusted_network" {
//     localnets;
//     localhost;
//     234.234.234.0/24;
//     2001::co:ffee:babe:1/48;
// };
// options {
//     allow-recursion {trusted_network;};
//     allow-query-cache {trusted_network;};
// };
//
// This file will NOT be overridden during updates!
Zone transfer
The idea:
- Leave the master role to FreeIPA.
- Synchronize secondary servers from the master; the secondaries generally come up earlier or have higher availability.
- Forward dynamic zone updates that are sent to the slave (e.g. from isc-dhcp-server) to the master.
This keeps DNS operating if the master has gone away or is not available yet.
SOA serial format
According to FreeIPA V3/DNS SOA serial auto-incrementation, the format of the serial is
- a unix timestamp, or
- a number larger than the timestamp (incremented by 1 on each change).
Until May 2033 the typical YYYYMMDDNN serial is bigger than the unix timestamp. That is why this kind of serial should not be used: the serial is not parsed, so the date part is never refreshed, only incremented. With the timestamp this information is not lost.
So if your zone formerly used such serials, you need to set the serial on the slave lower than the unix-timestamp serial FreeIPA uses, or nothing happens: the slave considers its own serial newer and never transfers the zone.
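To see why the slave stays silent, here is an added example (not from this page, FreeIPA or BIND): it implements the RFC 1982 serial comparison a secondary applies on NOTIFY/refresh, shows that a YYYYMMDDNN serial from 2020 beats a unix-timestamp serial of the same day, derives the "set it lower" fix, and computes the day on which timestamp serials finally overtake date serials. The dates are constructed.

```python
"""SOA serial arithmetic (RFC 1982) for a FreeIPA master and a BIND slave.
Added example, not FreeIPA or BIND code; the dates below are constructed."""
from __future__ import annotations
import calendar
import datetime as dt

SERIAL_SPACE = 1 << 32  # SOA serials are unsigned 32-bit integers
HALF_SPACE = 1 << 31


def serial_newer(candidate: int, current: int) -> bool:
    """True if `candidate` is greater than `current` in RFC 1982 serial
    arithmetic, i.e. a secondary holding `current` accepts a zone at
    `candidate` on NOTIFY/refresh; equal serials are never 'newer'."""
    candidate %= SERIAL_SPACE
    current %= SERIAL_SPACE
    if candidate == current:
        return False
    return (candidate - current) % SERIAL_SPACE < HALF_SPACE


def date_serial(year: int, month: int, day: int, nn: int = 1) -> int:
    """Classic hand-maintained YYYYMMDDNN serial."""
    return int(f"{year:04d}{month:02d}{day:02d}") * 100 + nn


def timestamp_serial(year: int, month: int, day: int, hour: int = 0) -> int:
    """Unix-timestamp serial (UTC) of the kind FreeIPA's DNS plug-in writes."""
    return calendar.timegm((year, month, day, hour, 0, 0, 0, 0, 0))


def slave_will_transfer(slave_serial: int, master_serial: int) -> bool:
    """Will a secondary holding `slave_serial` pull a zone at `master_serial`?"""
    return serial_newer(master_serial, slave_serial)


def fixed_slave_serial(master_serial: int) -> int:
    """Serial to put on the slave (the page's 'set it lower than the unix
    timestamp' step): one below the master's, so the master is seen as newer."""
    return (master_serial - 1) % SERIAL_SPACE


def crossover_date() -> tuple[int, int, int]:
    """First UTC day whose midnight timestamp already exceeds every
    YYYYMMDDNN serial of that day (NN = 99), i.e. when the mismatch ends."""
    day = dt.date(2020, 1, 1)
    while timestamp_serial(day.year, day.month, day.day) <= date_serial(
        day.year, day.month, day.day, 99
    ):
        day += dt.timedelta(days=1)
    return (day.year, day.month, day.day)


if __name__ == "__main__":
    slave = date_serial(2020, 9, 24, 1)         # zone hand-maintained until 2020-09-24
    master = timestamp_serial(2020, 9, 24, 12)  # same day, now served by FreeIPA
    print(f"slave={slave} master={master} transfer={slave_will_transfer(slave, master)}")
    print("fix slave to", fixed_slave_serial(master), "-> transfer",
          slave_will_transfer(fixed_slave_serial(master), master))
    print("timestamp serials overtake date serials on", crossover_date())
```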
Zone transfer with TSIG (keybased)
To create a TSIG key please see bind9#dnssec-keygen_-_TSIG, then return here.
FreeIPA has no support for TSIG keys in the web frontend; see Howto/DNS updates and zone transfers with TSIG.
On the master (FreeIPA) the custom configuration snippet may be used to insert the key.
/etc/named/ipa-ext.conf
// Custom managed file.
// Here you can set your own options, for instance ACL for recursion access:
//
// acl "trusted_network" {
//     localnets;
//     localhost;
//     234.234.234.0/24;
//     2001::co:ffee:babe:1/48;
// };
// options {
//     allow-recursion {trusted_network;};
//     allow-query-cache {trusted_network;};
// };
//
// This file will NOT be overridden during updates!

// KEY THE BIND9 (SLAVE) ON KVM2 USES TO FETCH THE ZONE
key "kvm2_rockstable_org" {
    algorithm hmac-sha512;
    secret "FO07a2PRNLWVH0H8Thb4JyO/4WqJQio44jyclTrWLoc4gdKrosnBWIJlx/1Ss+EjhcFSJ5og4krZHmQ+eGT/FQ==";
};

// KEY THE DHCP-SERVER USES TO UPDATE THE ZONE (FORWARDED BY KVM2)
key DHCP_UPDATER {
    algorithm HMAC-SHA512;
    secret "KeyExtractedFromPrivateFile==";
};
You cannot specify a TSIG key in the web frontend form for AllowTransfer; the value is validated to be an IPv4/IPv6 address. :-| We have to set it directly in LDAP. The WebUI still fetches the value from LDAP, displays it and complains on save, so this has to be redone every time the zone is saved there. :-/
### ACQUIRE TGT
kinit admin
### TAKE A LOOK
ldapsearch -Y GSSAPI -b "cn=dns,dc=rockstable,dc=it" -s one "(objectclass=*)"
### ALLOW THE KEY
ldapmodify -Y GSSAPI << EOF
dn: idnsname=2a.rockstable.it.,cn=dns,dc=rockstable,dc=it
changetype: modify
replace: idnsAllowTransfer
idnsAllowTransfer: key "kvm2_rockstable_org";
-
EOF
SASL/GSSAPI authentication started
SASL username: admin@ROCKSTABLE.IT
SASL SSF: 256
SASL data security layer installed.
modifying entry "idnsname=2a.rockstable.it.,cn=dns,dc=rockstable,dc=it"
On the slave (plain bind9), the key is inserted in
/etc/bind/named.conf.auth
On the slave, configure the (former master) zone as a slave in
/etc/bind/named.conf.local
// 2a: INTRANET DMZ; LEVEL 2; ACCESS
zone "2a.rockstable.it" {
    type slave;
    // ZONE OF TYPE "slave" MUST HAVE "masters"
    masters { masters_ipa_rockstable_it; };
    masterfile-format text; # (text|raw)
    file "/var/lib/bind/zones/db.it.rockstable.2a";
    journal "/var/lib/bind/journal/db.it.rockstable.2a.jnl"; # string ;
    allow-query { localhost; kvm2_nets_int; }; # { address_match_list };
    allow-query-on { localhost; kvm2_ifaces_int; }; # { address_match_list };
    allow-update-forwarding { localhost; kvm2_nets_int; }; # { address_match_element; ... };
    check-names warn; # (warn|fail|ignore) ;
    notify yes; # yes_or_no | explicit | master-only ;
    zone-statistics yes; # yes_or_no ;
};
Check the configuration on both nodes with named-checkconf!
Check that the firewall is open between primary and secondary!
Open the logs.
Migration
Check the logs!
Add an NS record for the new slave server to the master zone, to ensure it is notified on changes.
The slave forwards dynamic update requests to the master via allow-update-forwarding. To allow dynamic updates, add an "Update Policy" to the zone in the FreeIPA WebUI:
grant DHCP_UPDATER zonesub ANY;
Enroll clients
Preparation
Make sure you have
- deployed all the DNS records for autodiscovery. This is important to get failover working correctly.
- opened the firewall, so the client can communicate with the server.
Install
And gather the info you need during installation:
Key | Value
Kerberos Realm | ROCKSTABLE.IT
Kerberos Server | ipa2.2a.rockstable.it
Kerberos Administration Server | ipa2.2a.rockstable.it
Install the client
apt install freeipa-client
Key | Value
IPA domain name | 2a.rockstable.it
IPA server name | ipa2.2a.rockstable.it
Enrollment Username | tobias
Enrollment Password | __very_long_password__
Enroll the client (with fixed values)
ipa-client-install
This program will set up FreeIPA client.
Version 4.7.2

WARNING: conflicting time&date synchronization service 'ntp' will be disabled
in favor of chronyd

DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): 2a.rockstable.it
Provide your IPA server name (ex: ipa.example.com): ipa2.2a.rockstable.it
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: secl.2a.rockstable.it
Realm: ROCKSTABLE.IT
DNS Domain: 2a.rockstable.it
IPA Server: ipa2.2a.rockstable.it
BaseDN: dc=rockstable,dc=it

Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: tobias
Password for tobias@ROCKSTABLE.IT:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=ROCKSTABLE.IT
Issuer: CN=Certificate Authority,O=ROCKSTABLE.IT
Valid From: 2020-09-24 11:52:29
Valid Until: 2040-09-24 11:52:29

Enrolled in IPA realm ROCKSTABLE.IT
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ROCKSTABLE.IT
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring 2a.rockstable.it as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Some errors related to NTP and DNS, probably due to my legendary and conflicting DNS setup:
- Autodiscovery of servers for failover cannot work with this configuration. If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
- The installer was not able to update the SSHFP records in my setup.
- No SRV records for NTP.
The freeipa-client installer may not pick the hostname you want. There are some nice effects in combination with NetworkManager, /etc/network/interfaces and multiple interfaces.
I changed the client's nameservers in /etc/resolv.conf to point to the FreeIPA server and tried again.
root@secl /etc # ipa-client-install --hostname="secl.2a.rockstable.it" --force-join
This program will set up FreeIPA client.
Version 4.7.2

WARNING: conflicting time&date synchronization service 'ntp' will be disabled
in favor of chronyd

Discovery was successful!
Client hostname: secl.2a.rockstable.it
Realm: ROCKSTABLE.IT
DNS Domain: 2a.rockstable.it
IPA Server: ipa2.2a.rockstable.it
BaseDN: dc=rockstable,dc=it

Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: tobias
Password for tobias@ROCKSTABLE.IT:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=ROCKSTABLE.IT
Issuer: CN=Certificate Authority,O=ROCKSTABLE.IT
Valid From: 2020-09-24 11:52:29
Valid Until: 2040-09-24 11:52:29

Enrolled in IPA realm ROCKSTABLE.IT
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ROCKSTABLE.IT
Cannot connect to the server due to Kerberos error: Major (851968): nicht spezifizierter GSS-Fehlschlag. Möglicherweise stellt der untergeordnete Code weitere Informationen bereit., Minor (2529639066): KDC für Realm >>ROCKSTABLE.IT<< kann nicht gefunden werden. Trying with delegate=True
Second connect with delegate=True also failed: Major (851968): nicht spezifizierter GSS-Fehlschlag. Möglicherweise stellt der untergeordnete Code weitere Informationen bereit., Minor (2529639066): KDC für Realm >>ROCKSTABLE.IT<< kann nicht gefunden werden
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Unenrolling host failed: Error obtaining initial credentials: Cannot find KDC for requested realm.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Some installation state for ntp has not been restored, see /var/lib/ipa/sysrestore/sysrestore.state
Some installation state has not been restored.
This may cause re-installation to fail.
It should be safe to remove /var/lib/ipa-client/sysrestore.state but it may
mean your system hasn't been restored to its pre-installation state.
Client uninstall complete.

The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
Okay, the KDC of realm "ROCKSTABLE.IT" cannot be found via the delegating DNS zone. There is probably something missing, and it fails again.
Now try it with new options:
- --hostname: make sure to pick the right hostname
- --force-join: overwrite an existing instance
- --force: force configuration even if an error occurs during some of the tests, e.g. KDC not found
root@secl /etc # ipa-client-install \
--hostname="secl.2a.rockstable.it" \
--force-join --force
This program will set up FreeIPA client.
Version 4.7.2

WARNING: conflicting time&date synchronization service 'ntp' will be disabled
in favor of chronyd

Discovery was successful!
Client hostname: secl.2a.rockstable.it
Realm: ROCKSTABLE.IT
DNS Domain: 2a.rockstable.it
IPA Server: ipa2.2a.rockstable.it
BaseDN: dc=rockstable,dc=it

Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: tobias
Password for tobias@ROCKSTABLE.IT:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=ROCKSTABLE.IT
Issuer: CN=Certificate Authority,O=ROCKSTABLE.IT
Valid From: 2020-09-24 11:52:29
Valid Until: 2040-09-24 11:52:29

Enrolled in IPA realm ROCKSTABLE.IT
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ROCKSTABLE.IT
Systemwide CA database updated.
Hostname (secl.2a.rockstable.it) does not have A/AAAA record.
Incorrect reverse record(s):
172.18.128.9 is pointing to secl.2a.rockstable.it.2a.rockstable.it. instead of secl.2a.rockstable.it.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring 2a.rockstable.it as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Okay, we're in for the moment. But the problem with the delegating zone is still there.